Passive Recon: Collapsing your target's wavefunction.

An open and accurate accounting of the available intelligence for an individual, organization, or business is typically an undervalued component of both offensive and defensive information security activities. From the defender's perspective, it is important to understand how the source, content, and fidelity of publicly available data can affect the overall security posture of the organization. For the attacker, the gathering and analysis of publicly available data, which often includes usernames, emails, hostnames, subnets, technologies deployed, new product initiatives, employee habits, hobbies, and relationships, will provide actionable intelligence products that can be leveraged to gain a foothold in the target organization and provide the foundation for a successful attack. This presentation will cover intelligence sources, gathering and analysis methods, and the supporting toolset. Individual use cases will highlight how a specific piece of information can be developed into an actionable intelligence product that can then be incorporated into a larger attack plan. This presentation also provides suggestions for limiting, detecting, and mitigating the exposure of information that is made available to the public.

Transcript of "Passive Recon: Collapsing your target's wavefunction."

2.
caveats / notes
1. “We are standing on the shoulders of giants.” Numerous references have been provided throughout the talk. Additional materials will be provided for further reading in an appendix.
2. This talk is about the principles, methodology, and process for performing passive reconnaissance using tools and methods developed by a community of researchers.
3. The tools, artifacts/raw data, and intelligence products presented are not intended to be comprehensive. Every customer provides a new and interesting challenge.

31.
passive recon: process notes
• Native search functions will miss data (Facebook graph and LinkedIn search)
• Hacker tools will miss data
• Take ridiculously detailed notes
• Don’t underestimate the importance of taking the time to use Google/Bing advanced search functions in new and creative ways
• Be prepared to change objectives based on newly returned data
• Take ridiculously detailed notes
• Always be working towards an intelligence product
• Organize your notes so they will still make sense 30 days from now [Evernote (local), Zim, Keepnote, etc.]
• Some of our most interesting finds have fallen out of extremely tedious, long-term manual search methods.

32.
passive recon – mitigations [org.]
- Be at least as knowledgeable as the attacker.
- Perform passive recon against your own organization.
  - Do you know how you make money?
  - Where are your critical resources? What would be the death blow for the organization?
  - How would you plan an attack?
- Acceptable Use Policy (AUP) for social media
- Monitoring of social media [1, 2]
- Public Affairs Office (PAO)
  - Is there a process for the public release of information? Are there people involved other than sales and marketing? How do they handle metadata?
- Use the free monitoring tools:
  - Google Alerts, Yahoo Pipes, RSS readers
  - Twitter search, social media APIs
  - SearchDiggity
- Consider one or more paid services [3]

1. http://sproutsocial.com/features/social-media-monitoring
2. http://www.cnn.com/2013/09/14/us/california-schools-monitor-social-media/index.html
3. https://pwnedlist.com/services

41.
footprinting – process notes
• Don’t underestimate the importance of **native** administrative tools
• Understand exactly what a tool will do before you run it
  – What are you after?
  – What Snort signatures may fire?
  – What kind of load does it put on the target system?
  – What is the frequency of requests?
  – For web requests, what User-Agents are used?
• Investigate **every** finding no matter how esoteric
• Take ridiculously detailed notes [date, time, tool used, command run, switches used, file saved]
• Organize your notes so they will still make sense 30 days from now [Evernote (local), Zim, Keepnote, etc.]
• Mind your surroundings
  – Is this system in scope?
  – What makes this system an attractive target?
  – Should I trust my results? Do they make sense?
  – What do I hope to gain? PHI, PII, beachhead, user credentials?
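The note-taking and scope discipline from this slide, as an added shell example that is not from the talk: a wrapper that refuses to run a tool against a host missing from a scope file, and appends one record per run with the UTC timestamp, host, tool, full command line (switches included), saved output file, exit status and a checksum of the output. The notes directory, the scope file name and the `activity.tsv` column layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: an engagement note-taking wrapper.
# It records what the slide asks for (date/time, tool used, command run,
# switches used, file saved) and answers "Is this system in scope?" before
# anything runs. Directory and file names below are assumptions.
NOTES_DIR="${NOTES_DIR:-./engagement-notes}"      # assumed notes location
SCOPE_FILE="${SCOPE_FILE:-$NOTES_DIR/scope.txt}"  # one in-scope host per line
ACTIVITY_LOG="activity.tsv"                       # tab-separated run records

# in_scope HOST: succeed only if HOST is an exact line in SCOPE_FILE.
in_scope() {
    grep -Fxq -- "$1" "$SCOPE_FILE" 2>/dev/null
}

# note_count: number of records written so far (0 if no log yet).
note_count() {
    if [ -f "$NOTES_DIR/$ACTIVITY_LOG" ]; then
        wc -l < "$NOTES_DIR/$ACTIVITY_LOG" | tr -d ' '
    else
        echo 0
    fi
}

# run_logged HOST TOOL [ARGS...]
# Runs TOOL with ARGS, saves its stdout+stderr under raw/, and appends one
# record to the log:
#   UTC-timestamp  host  tool  full-command  output-file  exit-status  cksum
# Returns 2 without running anything if HOST is not in scope, otherwise
# the tool's own exit status.
run_logged() {
    rl_host=$1; rl_tool=$2; shift 2
    if ! in_scope "$rl_host"; then
        printf 'REFUSED: %s is not listed in %s\n' "$rl_host" "$SCOPE_FILE" >&2
        return 2
    fi
    mkdir -p "$NOTES_DIR/raw"
    rl_stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rl_seq=$(( $(note_count) + 1 ))                 # avoids same-second collisions
    rl_safe=$(printf '%s' "$rl_host" | tr -c 'A-Za-z0-9._-' '_')
    rl_out="$NOTES_DIR/raw/${rl_stamp}_${rl_seq}_${rl_safe}_${rl_tool##*/}.txt"
    rl_status=0
    "$rl_tool" "$@" >"$rl_out" 2>&1 || rl_status=$?
    rl_sum=$(cksum < "$rl_out" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$rl_stamp" "$rl_host" "$rl_tool" "$rl_tool $*" \
        "$rl_out" "$rl_status" "$rl_sum" >> "$NOTES_DIR/$ACTIVITY_LOG"
    return "$rl_status"
}
# Usage: . ./notes.sh; run_logged example.internal whois example.internal
```

Because the record keeps the raw output file and its checksum alongside the exact command, a result can be re-checked 30 days later ("Should I trust my results?") without re-running anything against the target.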